AU: Support signed payload verification through the delta generator.

generate_delta_main.cc

 // Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <unistd.h>
 
@@ skipping 22 matching lines @@
 DEFINE_string(old_image, "", "Path to the old rootfs");
 DEFINE_string(new_image, "", "Path to the new rootfs");
 DEFINE_string(old_kernel, "", "Path to the old kernel partition image");
 DEFINE_string(new_kernel, "", "Path to the new kernel partition image");
 DEFINE_string(in_file, "",
               "Path to input delta payload file used to hash/sign payloads "
               "and apply delta over old_image (for debugging)");
 DEFINE_string(out_file, "", "Path to output delta payload file");
 DEFINE_string(out_hash_file, "", "Path to output hash file");
 DEFINE_string(private_key, "", "Path to private key in .pem format");
+DEFINE_string(public_key, "", "Path to public key in .pem format");
 DEFINE_string(prefs_dir, "/tmp/update_engine_prefs",
               "Preferences directory, used with apply_delta");
 DEFINE_int32(signature_size, 0, "Raw signature size used for hash calculation");
 DEFINE_string(signature_file, "", "Raw signature file to sign payload with");
 
 // This file contains a simple program that takes an old path, a new path,
 // and an output file as arguments and the path to an output file and
 // generates a delta that can be sent to Chrome OS clients.
 
 using std::set;
@@ skipping 34 matching lines @@
       << "Must pass --out_file to sign payload.";
   LOG_IF(FATAL, FLAGS_signature_file.empty())
       << "Must pass --signature_file to sign payload.";
   vector<char> signature;
   CHECK(utils::ReadFile(FLAGS_signature_file, &signature));
   CHECK(PayloadSigner::AddSignatureToPayload(
       FLAGS_in_file, signature, FLAGS_out_file));
   LOG(INFO) << "Done signing payload.";
 }
 
+void VerifySignedPayload() {
+  LOG(INFO) << "Verifying signed payload.";
+  LOG_IF(FATAL, FLAGS_in_file.empty())
+      << "Must pass --in_file to verify signed payload.";
+  LOG_IF(FATAL, FLAGS_public_key.empty())
+      << "Must pass --public_key to verify signed payload.";
+  CHECK(PayloadSigner::VerifySignedPayload(FLAGS_in_file, FLAGS_public_key));
+  LOG(INFO) << "Done verifying signed payload.";
+}
+
 void ApplyDelta() {
   LOG(INFO) << "Applying delta.";
   LOG_IF(FATAL, FLAGS_old_image.empty())
       << "Must pass --old_image to apply delta.";
   Prefs prefs;
   LOG(INFO) << "Setting up preferences under: " << FLAGS_prefs_dir;
   LOG_IF(ERROR, !prefs.Init(FilePath(FLAGS_prefs_dir)))
       << "Failed to initialize preferences.";
   // Get original checksums
   LOG(INFO) << "Calculating original checksums";
@@ skipping 40 matching lines @@
                        logging::DONT_LOCK_LOG_FILE,
                        logging::APPEND_TO_OLD_LOG_FILE);
   if (FLAGS_signature_size > 0 || !FLAGS_out_hash_file.empty()) {
     CalculatePayloadHashForSigning();
     return 0;
   }
   if (!FLAGS_signature_file.empty()) {
     SignPayload();
     return 0;
   }
+  if (!FLAGS_public_key.empty()) {
+    VerifySignedPayload();
+    return 0;
+  }
   if (!FLAGS_in_file.empty()) {
     ApplyDelta();
     return 0;
   }
   CHECK(!FLAGS_new_image.empty());
   CHECK(!FLAGS_out_file.empty());
   CHECK(!FLAGS_new_kernel.empty());
   if (FLAGS_old_image.empty()) {
     LOG(INFO) << "Generating full update";
   } else {
@@ skipping 16 matching lines @@
   return 0;
 }
 
 }  // namespace {}
 
 }  // namespace chromeos_update_engine
 
 int main(int argc, char** argv) {
   return chromeos_update_engine::Main(argc, argv);
 }